ASTM E2085

1.1 This guide covers a framework for the protection of healthcare information. It addresses both storage and transmission of information. It describes existing standards used for information security which can be used in many cases, and describes which (healthcare-specific) standards are needed to complete the framework. Appropriate background information on security (and particularly cryptography) is included. The framework is designed to accommodate a very large (national or international), distributed user base, spread across many organizations, and it therefore recommends the use of certain (scaleable) technologies over others.

1.2 Electronic information exchange and sharing of data in has been the backbone of industries such as financial institutions for several years. Cost cutting measures and a real need for sharing of information are driving healthcare services toward increased use of computer-based information systems. One of the requirements for the ability to share and exchange healthcare information is that the information be protected.

1.3 Selection of standards was performed using the following criteria, which are described in more detail in 4.2.

1.3.1 Security requirements are defined in this framework, and (in some cases) in additional ASTM guidelines.

1.3.2 ASTM standard specifications are used to define protocols and message formats in support of interoperability.

1.3.3 Existing standards will be reused or extended whenever possible.

1.3.4 This framework does not address policy issues. ASTM Subcommittee E31.17 is writing standards that address these issues.

2. Referenced Documents

E1238 Specification for Transferring Clinical Observations Between Independent Computer Systems
E1384 Guide for Content and Structure of the Computer-Based Patient Record
E1762 Guide for Electronic Authentication of Healthcare Information
E1985 Guide for User Authentication and Authorization
E1986 Guide for Information Access Privileges to Health Information
E2084 Specification for Authentication of Healthcare Information Using Digital Signatures
E2086 Guide for Internet and Intranet Healthcare Security

FIPS 140-1 Security Requirements for Cryptographic Modules
FIPS PUB 180-1 Secure Hash Algorithm
FIPS PUB 186 Digital Signature Standard
FIPS PUB 46-3 Data Encryption Standard
FIPS PUB 74 Guidelines for Implementing and Using the NBS Data Encryption Standard
FIPS PUB 81 DES Modes of Operation
IEEE 802.10 , 1992-1996 (multiple parts)
ISO 8824-1 Specification of Abstract Syntax Notions One (ASN.1)
ISO 8825-1 Specification of Basic Encoding Rules for Abstract Syntax Notions One (ASN.1)
ISO/IEC 10164-7 Information Technology-Open Systems Interconnection-Systems Management: Security Alarm Reporting Function
ISO/IEC 10164-8 Information Technology-Open Systems Interconnection-Systems Management: Security Audit Trail Function
ISO/IEC 10736 Transport Layer Security Protocol
ISO/IEC 11577 Network Layer Security Protocol
ISO/IEC 11586 Generic Upper Layers Security (4 parts)
ISO/IEC 7498-2 Security Architecture
ISO/IEC 8879 Standard Generalized Markup Language (SGML)
ISO/IEC 9595 Information Technology-Open Systems Interconnection-Common Management Information Service Definition
ISO/IEC 9596 Information Technology-Open Systems Interconnection-Common Management Information Protocol Specification
ISO/IEC 9735 Electronic Data Interchange for Administration, Commerce and Transport (EDIFACT)-Application Level Syntax Rules (Parts 5-10)
ITU-T X.509 Directory Authentication
NIST MISPC Minimum Interoperability Specification for PKI Components Version 1
RFC 1510 Kerberos Authentication Service
RFC 1777 Lightweight Directory Access Protocol (v2)
RFC 1945 Hypertext Transfer Protocol
RFC 1964 Kerberos v5 GSS-API Mechanism
RFC 2025 GSS-API Simple Public Key Mechanism (SPKM)
RFC 2078 Generic Security Services Application Program Interface
RFC 2246 The TLS Protocol Version 1.0
RFC 2251 Lightweight Directory Access Protocol (v3)
RFC 2259 Internet X.509 Public Key Infrastructure Operational Protocols-LDAPv2
RFC 2401 Security Architecture for the Internet Protocol
RFC 2402 IP Authentication Header
RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
RFC 2404 The Use of HMAC-SHA-196 within ESP and AH
RFC 2406 IP Encapsulating Security Payload (ESP)
RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409 The Internet Key Exchange (IKE)
RFC 2440 OpenPGP Message Format
RFC 2451 The ESP CBC-Mode Cipher Algorithms
RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
RFC 2560 Internet X.509 Public Key Infrastructure Online Certificate Status Protocol
RFC 2630 Cryptographic Message Syntax
RFC 2631 Diffie-Hellman Key Agreement Method
RFC 2632 S/MIME Version 3 Certificate Handling
RFC 2633 S/MIME Version 3 Message Specification
RFC 2634 Enhanced Security Services for S/MIME
RFCs 1901-1910 Simple Network Management Protocol
X.25 Interface between Data Terminal Equipment (DTE) and Data Circuit-Terminating Equipment (DCE) Operating in the Packet Mode and Connected to Public Networks by Dedicated Circuits
X.500 Open Systems Interconnection: The Directory
X12 Electronic Data Interchange
X12.58 Security Structures (version 2)
X3.92 Data Encryption Standard
X9.30 Part 1 Public Key Cryptography Using Irreversible Algorithms: Digital Signature Algorithm
X9.30 Part 2 Public Key Cryptography Using Irreversible Algorithms: Secure Hash Algorithm (SHA-1)
X9.31 Reversible Digital Signature Algorithms
X9.42 Management of Symmetric Keys Using Diffie-Hellman
X9.44 Key Establishment Using Factoring-Based Public Key Cryptography for the Financial Services Industry
X9.52 Triple DES Modes of Operation
X9.55 Extensions to Public Key Certificates and CRLs
X9.57 Certificate Management
X9.62 Elliptic Curve Digital Signature Algorithm

Index Terms

access control; application security; communications security; cryptography; interoperability; key management; key recovery; local security; security framework; subnetwork security; ICS Number Code 35.240.80

Citing ASTM Standards

[Back to Top]